Hong Kong CERT/CC Security Bulletin                                                           October 2002

Inside This Issue
 1       Virus Alert
 2       Guideline for Securing Wireless LAN Deployment
 6       Alert
 8       Top News
13       Calendar of Events

Virus Alert

Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT/CC) found two worms on 1-Oct-2002 and 2-Oct-2002. For details, you can visit the following web site:

Published by
Hong Kong CERT/CC

Sponsored by Innovation & Technology Fund

Page 1 of 13
Guideline for Securing Wireless LAN Deployment

Wireless LAN (WLAN) is now widely deployed in Hong Kong. You can find hotspots in centres, Internet cafes, hotels and the Airport now. It will not be surprising to see WLAN accessible along the street in the near future. Due to the flexibility in cabling and the low cost, home and corporate adoption of the technology is booming. WLAN, however, has its disadvantage in terms of security. If not properly deployed, it can bring about great security risks.

What is 802.11b and Wi-Fi?

Wireless LAN can be considered an extension of the current LAN technology. Instead of using copper wire as the physical connection, high frequency radio waves are used to transmit signals. PCs equipped with a wireless LAN adapter can connect to each other in a network through the air. The most common WLAN standard is IEEE 802.11b (also named Wi-Fi). It works on a bandwidth of maximum 11 Mbps on one of the 15 channels (in Hong Kong, use is limited to the first 11 channels) of the unlicensed 2.4GHz band. The negotiated bandwidth can fall back from 11 Mbps to 5.5 Mbps and 2 Mbps when the signal is weak or the environment is noisy. The signal-to-noise ratio can be improved by attaching an antenna to the AP or the client. WLAN uses a shared medium, so you can expect collisions that lower the effective bandwidth.

There are two modes of communication: ad-hoc mode, specifying client-to-client communication, and infrastructure mode, specifying client-to-hub communication. In infrastructure mode, the hub or Access Point (AP) connects all clients to form a wireless network. Each network has a Service Set Identifier (SSID) to differentiate itself from the others. By default the Access Point broadcasts the SSID periodically to let users locate the network.

IEEE 802.11b includes an optional security feature called Wired Equivalent Privacy (WEP) to encrypt the traffic between the client and the AP. The standard defines the 64-bit WEP key (with a 40-bit secret key). Currently a stronger 128-bit WEP (with a 104-bit secret key) is commonly available. The client and the AP must agree on a shared key before communication can be

Vulnerabilities and Risks of Wireless LAN

The greatest vulnerability of a WLAN is the lack of physical security. Unlike a wired network, intruders do not need to enter your premises to connect to your wireless network, and you have no good way of tracking who is connecting at any time.

The second vulnerability comes from the default settings of the WLAN devices. The default settings are there for ease of deployment and compatibility. These settings allow non-technical users to connect and use WLAN without difficulty. Most users and companies do not change the default settings right after deployment. Intruders can make use of these "conveniences" to connect to your network as well. These are the well known default settings in a WLAN access point (AP):

•   No encryption (WEP) used, or a default encryption key in use
•   Default SSID (e.g. WaveLAN Network, default, wireless)
•   Default administrator name and password (and SNMP community string as well)
•   DHCP enabled by default, automatically assigning IP addresses to all connected devices

The third vulnerability comes from the current WLAN technology, 802.11b. Firstly, 802.11b incorporates no authentication mechanism, and its encryption protocol, Wired Equivalent Privacy (WEP), has no automatic key change mechanism. Besides, WEP is known to have a flaw that allows anyone who collects enough packets to break the encryption.

The last vulnerability is the weakest link: human. Without a careful study of the risks associated with the current WLAN technology, some people are deploying WLAN for sensitive services. Some companies have no control over their staff plugging APs into the internal network, opening a backdoor to intruders and making the perimeter firewall and Internet antivirus gateway useless.

The consequences of any intruder connecting to your WLAN are:

•   Network resources (e.g. Internet bandwidth) being misused and productivity being affected.
•   Information leakage due to network sniffing by intruders outside your premises, where you have no control of access.
•   Virus infection due to viruses injected by intruders.
•   Damage to confidentiality, integrity and availability when systems are penetrated by intruders.

The damages might turn into financial, trust and reputation loss. You might have legal liability by allowing this to happen (e.g. violation of the agreement of usage, and claims of loss when your network is used for a hacking attack).

Wireless LAN Security Checklist

Here is a checklist to secure your WLAN deployment.

General Checklist for Home and Business Use of WLAN

1. Physical Security
   •   Do not put the WLAN Access Point (AP) close to a window or door.
   •   Power off the access point when it is not in use.

2. Encryption of communication
   •   Turn on WEP encryption. The 128-bit key WEP is preferred over the 64-bit key.
   •   To further improve the security over time, change the WEP key periodically.

3. Securing SSID
   •   Change the default SSID to something else for your network.
   •   If possible, turn off SSID broadcast (some AP manager GUIs provide such a function, sometimes called "closed network"). You need to tell individual users the SSID.

4. Controlling access to authorized WLAN cards
   •   Turn on the MAC address filter to allow only authorized WLAN cards to connect. This is effective if the list of WLAN cards is manageable.

5. Controlling the IP network
   •   Disable the DHCP service on the AP. Use static IP addresses on wireless LAN clients. A client without a valid IP address cannot connect.

6. SNMP configuration
   •   If your AP is configured using SNMP, make sure you change the default SNMP name and community string. Use a longer SNMP community string with a mix of numerals and
   •   Enable an SNMP access control list (ACL) to control who can configure the AP.
   •   For security over time, change the SNMP community string periodically.

7. Mobile Computing Security
   •   Most probably you are using WLAN with mobile devices. Make sure you observe other mobile security issues (e.g. theft of hardware, lack of protection from the corporate antivirus gateway and firewall) and deploy appropriate protections.

8. Human Security
   •   Do not reveal your password, SSID, WEP key and other security configurations to third parties. When in doubt, change these

9. Legal and Ethical Responsibility
   •   Unauthorized access to an information system is a criminal offense. Do not try to connect to others' wireless networks and systems out of curiosity, for research or with other intents. If you find out your neighbour's WLAN is insecure, please inform them so that they can get it fixed. As a responsible person, please do not disclose this vulnerability, with the owner's name and location, to a third party.

Additional Checklist for Corporations

1. Proper use of technology
   •   For very sensitive and serious services, you have to assess the risk of WLAN before taking it as an option. Put in your budget the extra cost of management and security strategies for WLAN security protection before deploying WLAN.

2. Management Policy
   •   Do not allow staff to build their own access points. Carry out periodic checks to audit whether this policy is enforced.

3. Perimeter Protection
   •   Treat WLAN as an untrusted network. Segment wireless traffic in a separate network. Install a properly configured firewall between the wired infrastructure and the wireless network to manage traffic going into the internal network or service

4. Switched network connection
   •   Connect APs to network switches (instead of hubs) to avoid communication sniffing.

5. Stronger Encryption
   •   The WEP protocol has its flaw: an intruder can collect enough packets to break the encryption. It is advisable for corporations to deploy Virtual Private Network (VPN) technology on top of WEP to encrypt wireless communications.

6. Authentication
   •   Consider other forms of authentication for the wireless network (such as RADIUS and Kerberos, which are currently available for some products).

7. Use an Upgradeable Solution
   •   WLAN technology is evolving quickly. When choosing a WLAN solution, ensure the AP and wireless card can update their firmware. Keep WLAN device firmware updated periodically.

If you have further questions, please contact us.

Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT/CC)

Tel : 8105 6060
Fax : 8105 9760
Email :
Web Page :

Extracted and modified from source:

Wireless Security Blackpaper
1.html
Low Cost Wireless Network How-to
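The default-settings list and checklist items 2 to 6 above are the kind of configuration points an administrator should re-check after every firmware update or staff change. The Python script below is an added example, not code from the bulletin or from HKCERT/CC: it encodes those items as an automated audit of an access point's settings. The `ApConfig` field names, the 30-day WEP key rotation period, the 12-character community-string threshold and both sample configurations are assumptions made for this illustration; the default SSIDs are the ones the bulletin names, and `public` and `private` are the usual factory SNMP community strings.

```python
"""Audit an access point's settings against the bulletin's WLAN checklist.
Added example; the sample configurations below are constructed, not real devices."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List

# Default SSIDs named in the bulletin; "public"/"private" are the factory SNMP communities.
DEFAULT_SSIDS = {"WaveLAN Network", "default", "wireless"}
DEFAULT_SNMP_COMMUNITIES = {"public", "private"}
WEP_HEX_DIGITS = {"wep64": 10, "wep128": 26}   # 40-bit / 104-bit secret key in hex
WEP_KEY_MAX_AGE_DAYS = 30                      # assumed policy for "change the WEP key periodically"
MIN_COMMUNITY_LEN = 12                         # assumed threshold for a "longer" community string
AUDIT_DATE = date(2002, 10, 15)                # constructed reference date for the samples


@dataclass
class ApConfig:
    """Hypothetical view of an AP's configuration (field names are this example's own)."""
    ssid: str
    ssid_broadcast: bool
    encryption: str               # "none", "wep64" or "wep128"
    wep_key_hex: str              # "" when encryption is off
    wep_key_set_on: date
    admin_password_changed: bool  # False while the factory administrator password is in use
    snmp_enabled: bool
    snmp_community: str
    snmp_acl: List[str] = field(default_factory=list)        # managers allowed to configure the AP
    dhcp_enabled: bool = True
    mac_filter_enabled: bool = False
    mac_allow_list: List[str] = field(default_factory=list)


def audit(cfg: ApConfig, today: date) -> List[str]:
    """Return one finding per violated checklist item, prefixed with the item number."""
    findings = []
    # Default settings: factory administrator credentials
    if not cfg.admin_password_changed:
        findings.append("defaults: factory administrator password still in use")
    # 2. Encryption of communication
    if cfg.encryption == "none":
        findings.append("2: WEP is off; turn it on, preferably with a 128-bit key")
    else:
        expected = WEP_HEX_DIGITS[cfg.encryption]
        if len(cfg.wep_key_hex) != expected:
            findings.append(f"2: WEP key has {len(cfg.wep_key_hex)} hex digits, expected {expected}")
        if cfg.encryption == "wep64":
            findings.append("2: 64-bit WEP in use; 128-bit is preferred")
        if (today - cfg.wep_key_set_on).days > WEP_KEY_MAX_AGE_DAYS:
            findings.append("2: WEP key older than the rotation period; change it")
    # 3. Securing SSID
    if cfg.ssid in DEFAULT_SSIDS:
        findings.append(f"3: SSID '{cfg.ssid}' is a factory default")
    if cfg.ssid_broadcast:
        findings.append("3: SSID broadcast is on; use the closed-network option if the AP has one")
    # 4. Controlling access to authorized WLAN cards
    if not cfg.mac_filter_enabled:
        findings.append("4: MAC address filter is off")
    elif not cfg.mac_allow_list:
        findings.append("4: MAC address filter is on but its allow list is empty")
    # 5. Controlling the IP network
    if cfg.dhcp_enabled:
        findings.append("5: DHCP is enabled on the AP; assign static client addresses instead")
    # 6. SNMP configuration
    if cfg.snmp_enabled:
        c = cfg.snmp_community
        mixed = any(ch.isdigit() for ch in c) and any(ch.isalpha() for ch in c)
        if c in DEFAULT_SNMP_COMMUNITIES:
            findings.append("6: SNMP community string is a well-known default")
        elif len(c) < MIN_COMMUNITY_LEN or not mixed:
            findings.append("6: SNMP community string is short or lacks a mix of letters and numerals")
        if not cfg.snmp_acl:
            findings.append("6: SNMP has no access control list")
    return findings


def factory_default_ap(today: date = AUDIT_DATE) -> ApConfig:
    """Constructed example of an AP left on its factory defaults."""
    return ApConfig(ssid="default", ssid_broadcast=True, encryption="none", wep_key_hex="",
                    wep_key_set_on=today, admin_password_changed=False,
                    snmp_enabled=True, snmp_community="public")


def hardened_ap(key_age_days: int = 10, today: date = AUDIT_DATE) -> ApConfig:
    """Constructed example that passes every automated check when the key is fresh."""
    return ApConfig(ssid="hk-office-7f", ssid_broadcast=False, encryption="wep128",
                    wep_key_hex="0123456789abcdef0123456789",
                    wep_key_set_on=today - timedelta(days=key_age_days),
                    admin_password_changed=True, snmp_enabled=True,
                    snmp_community="Rt7q2Lm9Xv4pWz", snmp_acl=["10.0.0.5"],
                    dhcp_enabled=False, mac_filter_enabled=True,
                    mac_allow_list=["00:02:2d:11:22:33"])


if __name__ == "__main__":
    for name, cfg in (("factory default", factory_default_ap()), ("hardened", hardened_ap())):
        result = audit(cfg, AUDIT_DATE)
        print(f"{name}: {len(result)} finding(s)")
        for item in result:
            print("  -", item)
```

Physical placement, staff policy and the human items (1, 7, 8, 9) cannot be read from a device, so they stay on the manual checklist; the script covers only what the AP itself can report.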
Many wireless networks open to attack
US Defense Department to restrict employee use of wireless devices

Next Step of Wireless LAN Security

Two of the major security issues of WLAN are the lack of authentication and the weakness in WEP. Some proprietary WLAN implementations, like Cisco and Lucent, have included client authentication from the 802.1x standard that is used in traditional Ethernet networks. Some go a step further to do mutual authentication of client and server by adopting PKI. The Temporal Key Integrity Protocol (TKIP), initially termed WEP2, attempts to strengthen the encryption by using dynamic WEP keys which change every 10,000 packets. These security enhancements will be available in the coming WLAN standards.
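The following Python program is an added illustration, not code from the bulletin or from HKCERT/CC. It makes the WEP figures from the guideline concrete: the advertised 64-bit and 128-bit key sizes each include the 24-bit initialisation vector (IV) that travels in clear with every frame, so the shared secret is 40 or 104 bits; the per-frame RC4 keystream is seeded with IV followed by the secret, so a static key can produce at most 2^24 distinct keystreams, which is the reason the checklist asks for periodic key changes and the reason TKIP rotates keys every 10,000 packets. The frames and the 500 frames-per-second rate are constructed sample values, and the integrity check value (CRC-32 ICV) that real WEP appends is omitted.

```python
"""WEP key layout, per-frame keystream seeding and IV reuse monitoring.
Added illustration; the sample frames and traffic rate are constructed."""
from collections import Counter
from typing import Dict, Iterable, Tuple

IV_BITS = 24                     # 802.11 WEP IV, transmitted in clear in each frame
IV_BYTES = IV_BITS // 8
SECRET_SIZES = {64: 5, 128: 13}  # advertised key size -> secret key bytes (40 / 104 bits)


def wep_secret_bits(advertised_bits: int) -> int:
    """Advertised WEP key size minus the 24-bit IV: 64 -> 40, 128 -> 104."""
    if advertised_bits not in SECRET_SIZES:
        raise ValueError("WEP keys are advertised as 64-bit or 128-bit")
    return advertised_bits - IV_BITS


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (key scheduling + generation); WEP seeds it with IV || secret."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:                   # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_keystream(iv: bytes, secret: bytes, length: int) -> bytes:
    """Per-frame keystream: RC4 seeded with the 3-byte IV followed by the shared
    secret. The same IV under the same secret always yields the same keystream."""
    if len(iv) != IV_BYTES:
        raise ValueError("WEP IV must be 3 bytes")
    if len(secret) not in SECRET_SIZES.values():
        raise ValueError("WEP secret must be 5 bytes (40-bit) or 13 bytes (104-bit)")
    return rc4_keystream(iv + secret, length)


def wep_encrypt(iv: bytes, secret: bytes, plaintext: bytes) -> bytes:
    """Simplified WEP frame body: plaintext XOR keystream (ICV omitted)."""
    ks = wep_keystream(iv, secret, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


def iv_reuse_report(frames: Iterable[Tuple[bytes, bytes]]) -> Dict[bytes, int]:
    """Monitoring view: given (iv, frame_body) pairs seen under one static key,
    return the IVs that appeared more than once. A non-empty result means the
    keystream has been reused and the key is due for a change."""
    counts = Counter(iv for iv, _ in frames)
    return {iv: n for iv, n in counts.items() if n > 1}


def iv_space_exhausted_after(frames_per_second: float) -> float:
    """Seconds until a busy AP runs out of fresh IVs under one key (best case:
    every IV used exactly once before any repeat)."""
    return (1 << IV_BITS) / frames_per_second


def demo() -> Dict[bytes, int]:
    """Constructed 104-bit secret and three frames; the third repeats the first IV."""
    secret = bytes.fromhex("0123456789abcdef0123456789")
    frames = [
        (bytes.fromhex("000001"), wep_encrypt(bytes.fromhex("000001"), secret, b"GET / HTTP/1.0")),
        (bytes.fromhex("000002"), wep_encrypt(bytes.fromhex("000002"), secret, b"HELO mail.example")),
        (bytes.fromhex("000001"), wep_encrypt(bytes.fromhex("000001"), secret, b"USER guest")),
    ]
    return iv_reuse_report(frames)


if __name__ == "__main__":
    print("secret bits:", wep_secret_bits(64), wep_secret_bits(128))
    print("IVs reused:", {iv.hex(): n for iv, n in demo().items()})
    print("IV space gone after %.1f hours at 500 frames/s"
          % (iv_space_exhausted_after(500) / 3600))
```

At 500 frames per second the 2^24 IVs are used up in under ten hours, and that is the optimistic case; a schedule that changes the shared key well inside that window, or a product that rotates keys automatically as TKIP does, keeps keystream reuse off the air.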

Alert

(Please check the instructions carefully on the related web site before applying the solutions.)

Date / Source: 2002/09/16
Common Name: Linux.Slapper.Worm
Operating System / Vendor / Platform: Linux
Vulnerability System: Linux
Impact:
  • The worm uses a set of IP addresses to attack new machines by randomly scanning for Apache systems.
  • The worm contains a backdoor that listens on UDP port 2002 and can be controlled remotely.
Patches / Workarounds / Solutions: New virus definitions are available from anti-virus vendors to detect and remove this virus. Note: Please follow the instructions of your anti-virus vendor to remove the virus and repair your system.

Date / Source: 2002/10/01
Common Name: W32.Bugbear@mm
Operating System / Vendor / Platform: MS Windows
Vulnerability System: MS Windows 95, 98, NT, 2000, XP, ME
Impact:
  • Attempts to mass-mail to addresses harvested from a compromised host using its own SMTP engine.
  • May allow unauthorized access to compromised machines. Attempts to terminate processes of various antivirus and firewall programs.
Patches / Workarounds / Solutions: New virus definitions are available from anti-virus vendors to detect and remove this virus. Note: Please follow the instructions of your anti-virus vendor to remove the virus and repair your system.

Date / Source: 2002/10/02
Common Name: W32.Opaserv.Worm
Operating System / Vendor / Platform: MS Windows
Vulnerability System: MS Windows 95, 98, NT, 2000, XP, ME
Impact:
  • Attempts to spread to non-password-protected shares.
Patches / Workarounds / Solutions: New virus definitions are available from anti-virus vendors to detect and remove this virus. Note: Please follow the instructions of your anti-virus vendor to remove the virus and repair your system.

Bugs, Holes & Patches

Date / Source: 2002/09/04
Common Name: Flaw Could Enable Web Page to Launch Visual FoxPro 6.0 Application Without Warning
Operating System / Vendor / Platform: MS Visual FoxPro 6.0
Vulnerability System: MS Visual FoxPro 6.0
Impact: Attacker could gain control over the user's system.
Patches / Workarounds / Solutions: Before installation of the software, please visit the software manufacturer's web-site for more details. Download locations for this patch: MS Visual FoxPro 6.0: Installation platforms: This patch can be installed on systems running Visual FoxPro 6.0. There are no service pack requirements.
Date / Source: 2002/09/09
Common Name: Certificate Validation Flaw in Windows Could Enable Identity Spoofing
Operating System / Vendor / Platform: MS Windows
Vulnerability System: MS Windows; MS Office for Mac; MS Internet Explorer for; MS Outlook Express for
Impact: Identity spoofing.
Patches / Workarounds / Solutions: Install the patch provided by the manufacturer. Please visit our web-site for more details.

Date / Source: 2002/09/06
Common Name: Remotely Exploitable Buffer Overflow in PGP
Operating System / Vendor / Platform: Windows 2000/XP
Vulnerability System: Windows 2000/XP - PGP Corporate Desktop 7.1.1
Impact: Remote code execution and plaintext passphrase disclosure.
Patches / Workarounds / Solutions: Before installation of the software, please visit the software manufacturer's web-site for more details. PGP has issued a fix for this vulnerability; it is available at:

Date / Source: 2002/09/19
Common Name: Flaw in Microsoft VM JDBC Classes Could Allow Code Execution
Operating System / Vendor / Platform: All builds of the Microsoft VM
Vulnerability System: All builds of the Microsoft VM up to and including 5.0.3805 are affected by the vulnerabilities.
Impact: Three vulnerabilities, the most serious of which could enable an attacker to gain complete control over a user's system.
Patches / Workarounds / Solutions: Before installation of the software, please visit the software manufacturer's web-site for more details. Download location for this patch: Windows Update. Installation platforms: This patch to the Microsoft VM can be installed on systems that are already running the 5.0.3805 version of the Microsoft VM.

Date / Source: 2002/09/26
Common Name: Buffer Overrun in Microsoft SmartHTML Interpreter Could Allow Code Execution
Operating System / Vendor / Platform: MS FrontPage Server; MS Windows 2000; MS Windows XP
Vulnerability System: MS FrontPage Server Extensions 2000; MS FrontPage Server Extensions 2002; MS Windows 2000 (shipped with FPSE 2000); MS Windows XP (shipped with FPSE 2000)
Impact: Buffer overrun or denial of service.
Patches / Workarounds / Solutions: Install the patch provided by the manufacturer. Please visit our web-site for more details.
Top News

September 2, 2002
Microsoft beefs up Passport security
The changes could eliminate two of the biggest customer gripes against Passport: that users can create accounts using bogus e-mail addresses and that users cannot easily cancel accounts they no longer wish to keep.
Microsoft uses Passport authentication for its MSN Messenger and Hotmail e-mail services, Microsoft Developer Network (MSDN) online access and Microsoft Reader e-book purchases, among other product and service offerings. The authentication service also is a cornerstone for .Net, Microsoft's slowly evolving Web services strategy. Third parties, such as eBay and Starbucks, also use Passport authentication for delivering services. (from CNET)

September 3, 2002
Password guessing games with Check Point firewall
Security researchers have discovered two potentially serious flaws with Check Point's flagship FireWall-1 firewall which give rise to both username guessing and sniffing issues.
The guessing rate is limited mostly by the firewall CPU rather than by the Internet link speed, according to security testing specialists NTA Monitor, which discovered the problem. In effect, this means that companies using a hi-spec firewall server increase the speed at which an attacker can guess passwords, NTA warns. (from The Register)

September 3, 2002
Citibank mails raise privacy concern
Citibank, in a move that has raised privacy concerns, used an outside company to gather e-mail addresses of its credit-card customers and then sent e-mails offering recipients access to sensitive financial data without verifying each address actually belonged to the customer.
Privacy experts said Citibank's e-mails don't appear to violate U.S. privacy laws, but they said the company might face inquiries from state attorneys general or the Federal Trade Commission if it failed to provide the security measures it told consumers were in place. (from MSNBC)

September 3, 2002
2002 record year for cyber attacks
According to security analyst mi2g the number of attacks in August reached 5,580 including a record 1,120 attacks on 18 August alone.
In particular, mi2g highlighted a growth in the number of pro-Islamic hacker groups coming together to launch digital attacks on the US, the UK, Israel and India since 11 September. (from Vnunet)

September 4, 2002
More cyber-attacks coming from Malaysia
Most of the probes made were attempts to unveil vulnerable Web (Apache, Internet Information Server), mail, DNS (BIND), FTP (WuFTP) and Proxy servers, the company said in a press statement.
From the online forensics conducted by the company, it believes that these attempts employed tools and scripts to exploit commonly known vulnerabilities as part of the scanning activity, which in turn increases the speed of the overall propagation, resulting in the surge of activity. (from CNET Asia)

September 5, 2002
Windows 2000 hit by mysterious attacks
The software giant issued a security warning about the attacks, which seem to be based around Trojan horse programs, but unusually the firm has yet to suggest any protective measures.
But more recent missives on the firm's website seem to indicate that the attacks are more likely to be the work of hackers rather than passive worm attacks. (from Vnunet)

September 5, 2002
File-name flaw threatens PGP users
The flaw affects PGP Corporate Edition 7.1.0 and 7.1.1. Software maker Network Associates has posted a patch on its site. The company recently sold all PGP assets to a start-up, PGP Corp., but appears to still be providing support for the program. Neither company could be reached for comment.
The flaw is unrelated to another theoretical vulnerability discussed by security experts last month. Exploiting that flaw, someone could fool the sender of a PGP-encrypted e-mail into decoding their own message. Unlike the current flaw, that vulnerability wouldn't give the attacker control of a computer. (from CNET)

September 6, 2002
Klez attack may wipe out attacker
The Klez.E variant runs a distant second to its far more prevalent Klez.H cousin, making up only 3 percent of the junk e-mail associated with the Klez virus. Klez.H accounts for the other 97 percent.
Klez.E arrives in e-mail and uses an old flaw in Microsoft Internet Explorer to execute automatically. On infected PCs, the computer virus activates a malicious payload and overwrites any file accessible to it. (from CNET Asia)

September 6, 2002
Spam Versus Technology: The Battle Rages On
This unsolicited e-mail, called spam, has permeated in-boxes so thoroughly that efforts to stop the flow have become extreme. The U.S. Congress has hotly debated measures to alleviate the burden of overstuffed digital mailboxes, and software makers are scrambling to churn out newer, sharper products for stemming the influx.
Still, spam seems to persist with all the resilience of a plague of mosquitoes. Are those who yearn for a spam-free existence ever likely to see their wish granted? Unfortunately, say some analysts, the answer may be a resounding no. (from

September 7, 2002

September 9, 2002
Worldwide 'war drive' exposes insecure wireless LANs
Amateur wireless LAN sniffers detected hundreds and potentially thousands of insecure business and home industry-standard wireless LANs in North America and Europe during the past week in a loosely organized electronic scavenger hunt dubbed the "Worldwide Wardrive."
The war-driving participants sniffed major technology and business centers such as Silicon Valley and Orange and San Diego counties in California, as well as Chicago, Cleveland and Denver in the U.S. and the province of Alberta in Canada. In Europe, the war drivers sniffed Barcelona, Spain, and Cologne, Germany. (from ComputerWorld)

September 9, 2002
Security pros: Our defenses need work
Though most corporate security professionals see network protection as critical, they have only made modest gains in securing their companies, according to a report published Monday.
At least one security professional questioned the findings of the survey: specifically, that 70 percent of participants thought that their company had adequately protected itself against hacking threats. (from CNET)

September 10, 2002
Insecurity plagues US emergency alert system
A national alert system that gives the president the ability to take over the U.S. airwaves during a national crisis may inadvertently extend hackers the same courtesy, thanks to
                                                                   security holes that put radio stations, television broadcasters
MS flips on new 'global' Windows remote-root vuln
                                                                   and cable TV companies at risk of being commandeered by
A few days ago the rumours started: every currently-supported      anyone with a little technical know-how and some off-the-
version of Windows - that's -98 to -XP and everything in           shelf electronic components.
between - can be rooted by a novel means which MS regarded
                                                                   In the cold war days when we were talking about missiles
as a mystery. It seemed to be an automated, malicious bot
                                                                   coming over the poles there was a much stronger fear that all
which makes it possible to control the target machine via IRC,
                                                                   the broadcast authorities might have disappeared, and we
but it seemed not to replicate itself as a worm would do.
                                                                   needed a way for the President to commandeer the surviving
Of course the IRC connection tempts one to speculate that the      broadcasters.    (from The Register)
culprit is a malicious payload in some file commonly-traded in
IRC along the lines of, say,, but MS
was unable to noodle out if that was the case.      (from The


September 10, 2002

Virus-ridden UK spread email nasties

The UK is one of the focal points of world email virus activity - and it is members of the public that are causing the problem. Fewer than half of UK homes own antivirus software, and of those only a minority update it regularly. (from Vnunet)

September 11, 2002

Sept. 11: A year later, online privacy and security still weak

A year after the Sept. 11 terrorist attacks, average Americans are subject to more surveillance when they go online, and their Internet-connected PCs may not be any safer from intruders.

Overall, computer security hasn't improved much in the past year. The continued nuisance of persistent worms and viruses such as Klez is punctuated with almost-weekly news alerts about dangerous network security vulnerabilities involving Microsoft Windows and its applications. (from

September 11, 2002

Oracle calls for Web services unity

The database vendor wants the World Wide Web Consortium (W3C) at its meeting in Washington beginning today to form an industry-wide working group to guide development of standards governing Web services choreography. Under Oracle's plan, the working group would develop a unified choreography language to be based on Web Services Description Language.

The proposal is to be made at a meeting of the W3C Web Services Architecture Working Group. Oracle pledges to have support from several other companies. (from ComputerWorld)

September 12, 2002

Microsoft warns of thieving Word docs

A would-be thief would have to take extraordinary care in setting up the scenario, however, including knowing the exact location and name of the desired file as well as persuading the victim to open, modify, save and then return the Word document to the sender.

The attack uses the INCLUDETEXT field, one of the many hidden fields embedded in Word documents, to copy text from a file on the victim's computer into a document opened there. The stolen content can be hidden by formatting the appended text in a small white font, which makes it nearly invisible. (from CNET)

September 14, 2002

Linux worm creating P2P attack network

A new worm that attacks Linux Web servers has compromised more than 3,500 machines, creating a rogue peer-to-peer network that has been used to attack other computers with a flood of data.

Though the rogue peer-to-peer network of compromised servers is still being created, it has already been used to attack the DNS servers of a major Internet service provider, according to a statement posted on the Internet Storm Center, a Web site that tracks security incidents on the Net by correlating data among voluntarily submitted firewall logs. (from CNET)

September 16, 2002

The Coming Virus Armageddon

Computer virus writers are known for building on each other's work to create ever-deadlier malware. In the future, a truly malicious code might not create an immediate uproar by hitting the Internet with a big bang. Instead, it could slowly and quietly seize control of a vast number of computers, doing significant but not immediately apparent damage to data.

As we proliferate more and more and more - streaming media, video, new media, cell phones, PDAs and other internetworked devices, including the automobile - all of those things are going to be eligible for viruses. (from NewsFactor)

September 16, 2002

Mozilla Privacy Leak Reported

A "serious" privacy leak in Mozilla - and other browsers based on the open-source technology, such as Netscape and Galeon - discloses users' Web surfing information, according to a recent report.

Microsoft says the fixes in SP1 for IE 6 address more than 300 issues with the browser, which first shipped last October with Windows XP. However, some bug hunters say flaws remain, despite the update. (from PC World)
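The INCLUDETEXT mechanism in the September 12 item above leaves a trace that can be checked before a document is opened: the field instruction, including the path it reads from, is stored in the document itself, whatever font the result is shown in. The scanner below is an added example written for this bulletin, not code from Microsoft or from the CNET report. It goes beyond the single INCLUDETEXT case to the other fields that read external content (INCLUDEPICTURE and LINK), and handles both the legacy binary .doc text stream, where a field's instruction sits between the 0x13 and 0x14 field characters, and the later .docx container, where it sits in w:instrText runs or a w:fldSimple attribute. The sample documents and the paths they name (secrets.txt on the victim's drive, payroll.doc on a file share, x.bmp) are constructed for the demonstration.

```python
"""Flag Word documents whose fields pull content from another file.

Added example: finds INCLUDETEXT / INCLUDEPICTURE / LINK field instructions,
the mechanism used to lift a file off the recipient's PC, in both the legacy
binary .doc format and the .docx container.  Samples are constructed.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"


def _W(local):
    """Clark-notation tag name in the WordprocessingML namespace."""
    return f"{{{W_NS}}}{local}"


# Field names are case-insensitive in Word; \b keeps HYPERLINK from matching LINK.
_KEYWORD_RE = re.compile(r"\b(INCLUDETEXT|INCLUDEPICTURE|LINK)\b", re.IGNORECASE)
# Field arguments: a quoted string or a bare token (switches such as \d included).
_ARG_RE = re.compile(r'"([^"]*)"|(\S+)')
# In the .doc text stream a field is 0x13 <instruction> 0x14 <result> 0x15;
# only the instruction part is searched, so prose containing "link" is ignored.
_DOC_FIELD_RE = re.compile("\x13([^\x13\x14\x15]*)")


def _parse_instruction(text):
    """(FIELD, source) for each external-content keyword in one instruction.
    LINK names an OLE class before the file; the other two name the file first."""
    hits = []
    for kw in _KEYWORD_RE.finditer(text):
        field = kw.group(1).upper()
        args = [a.group(1) if a.group(1) is not None else a.group(2)
                for a in _ARG_RE.finditer(text, kw.end())]
        idx = 1 if field == "LINK" else 0
        if len(args) > idx:
            hits.append((field, args[idx]))
    return hits


def _docx_fields(root):
    """Yield one instruction string per field, following fldChar begin/end so
    an instruction split across runs is joined and separate fields stay apart.
    Simple fields carry their instruction in a w:instr attribute."""
    buf, depth = [], 0
    for el in root.iter():
        if el.tag == _W("fldSimple"):
            yield el.get(_W("instr"), "")
        elif el.tag == _W("fldChar"):
            kind = el.get(_W("fldCharType"))
            if kind == "begin":
                depth += 1
            elif kind == "end" and depth:
                depth -= 1
                if depth == 0:
                    yield " ".join(buf)
                    buf = []
        elif el.tag == _W("instrText") and depth:
            buf.append(el.text or "")


def scan_docx(data):
    """Scan a .docx: fields live in word/*.xml (body, headers, footers)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.startswith("word/") and name.endswith(".xml"):
                for instr in _docx_fields(ET.fromstring(zf.read(name))):
                    hits.extend(_parse_instruction(instr))
    return hits


def scan_doc_bytes(data):
    """Scan legacy .doc bytes.  The text stream may be 8-bit or UTF-16LE, so
    decode both ways; the wrong decoding cannot yield a contiguous keyword."""
    hits = []
    for enc in ("latin-1", "utf-16-le"):
        text = data.decode(enc, errors="ignore")
        for m in _DOC_FIELD_RE.finditer(text):
            hits.extend(_parse_instruction(m.group(1)))
    return hits


def scan_document(data):
    """Dispatch on the container: a zip signature means .docx."""
    return scan_docx(data) if data[:2] == b"PK" else scan_doc_bytes(data)


def make_docx(instruction):
    """Build a minimal .docx holding one complex field (constructed sample)."""
    xml = (
        f'<w:document xmlns:w="{W_NS}"><w:body><w:p>'
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        f'<w:r><w:instrText xml:space="preserve">{instruction}</w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        '<w:r><w:t>cached field result</w:t></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        '</w:p></w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", xml)
    return buf.getvalue()


# Constructed samples; every path is hypothetical.
SAMPLE_DOCX = make_docx(' INCLUDETEXT "C:\\Users\\victim\\secrets.txt" ')
SAMPLE_DOC_UTF16 = ('\x13 INCLUDETEXT "\\\\fileserver\\share\\payroll.doc" \x14'
                    'text shown in 1pt white font\x15').encode("utf-16-le")
SAMPLE_DOC_8BIT = b'\x13 INCLUDEPICTURE "\\\\evil\\share\\x.bmp" \\d \x14\x15'
CLEAN_DOC = b"Plain text with a link to nothing and no fields."

if __name__ == "__main__":
    for label, blob in (("docx", SAMPLE_DOCX), ("doc/utf16", SAMPLE_DOC_UTF16),
                        ("doc/8bit", SAMPLE_DOC_8BIT), ("clean", CLEAN_DOC)):
        print(label, scan_document(blob))
```

A hit does not prove theft, since INCLUDETEXT has legitimate uses in templates; the output is a list of (field, source) pairs for a reviewer, with UNC paths and absolute local paths the ones to look at first. The check reads the instruction text, not the displayed text, so the white-font trick described in the item does not hide the field from it.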


September 17, 2002

Airport WLANs lack

While U.S. airlines and airports have beefed up physical security during the past year, wireless LANs continue to be potential IT security problems for some airports, according to an informal audit done earlier this month by an executive at a wireless security firm.

Wireless LANs used at four major airports in applications such as passenger check-in and baggage transfers were operating without even some of the most basic forms of security protections. (from ComputerWorld)

September 18, 2002

White House report to call for tougher net security

President George Bush's senior internet security advisor will this morning present the IT industry with a set of recommendations, almost a year in the making, on how the internet can be secured against criminals and terrorists.

Security companies are expecting a generalized call to arms from the report, with a focus on cooperation and information sharing, but some parts of earlier drafts of the document, such as a part lambasting wireless networks or mandating personal firewalls, have reportedly been removed after lobbying from tech firms. (from The Register)

September 19, 2002

Linux rootkit hacker suspect arrested in UK

A 21-year-old from Surbiton, Surrey has been arrested on suspicion of writing and distributing the T0rn rootkit, which dumbs down the process of hacking Linux servers.

Today the man was released on police bail until October pending further inquiries. (from The Register)

September 20, 2002

Experts say White House protocol upgrade advice is serious

According to these experts, vulnerabilities in these protocols mean it could just be a question of when they are exploited in an attack, not if. And the target would not be a sole wired entity, but the entire internet, or large portions of it.

He recommends that Federal funds be set aside for research and development of internet and software security, and he again names BGP (Border Gateway Protocol) and DNS (Domain Name System) as priorities. (from The Register)

September 23, 2002

Arrest for Slapper author

A suspect has been arrested on suspicion of authoring the Slapper worm.

With around 6,000 machines infected, the ISC last week declared a yellow alert. But Slapper's threat petered out before the worm hit anything like Code Red or Nimda proportions, which affected 400,000 and 86,000 servers respectively. (from Vnunet)

September 23, 2002

Lending spammers a helping hand

According to operators of spam-filtering lists, an alarming number of people are unwittingly helping junk mailers shuttle spam, or unsolicited bulk e-mail. Those unassuming victims are running software meant to allow multiple connections over a LAN (local area network) to the Internet through a single line, or what's known as proxy servers.

The problem has grown so quickly that some blocklist owners estimate that between 30 percent and 80 percent of the spam attacks today are caused by open proxies. (from CNET)

September 23, 2002

New laws make hacking a black-and-white choice

This summer, the consultant with security firm Secure Network Operations had let HP know of nearly 20 holes in its Tru64 operating system. But in late July, when HP was finishing work to patch the flaws, another employee of Finisterre's company publicly disclosed one of the vulnerabilities and showed how to exploit it.

Making the situation more difficult is the amorphous definition of ethical hacking. Although the subject has been addressed extensively in law and ethics philosophy, rarely a month goes by without a debate over whether a particular vulnerability had been disclosed responsibly. (from CNET)
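The open-proxy problem in the September 23 item "Lending spammers a helping hand" above is something an operator can test for directly. The probe below is an added example written for this bulletin, not code from CNET or from any blocklist operator: it sends the HTTP CONNECT request a spam relay tool would send and reads whether the proxy agrees to tunnel to a mail port. So that it runs offline it talks to two fake proxies bound to loopback, one that accepts every tunnel and one that refuses; the proxy addresses and the target name mail.example.net are placeholders. Point probe_open_proxy only at proxies you are responsible for.

```python
"""Check whether an HTTP proxy will tunnel arbitrary TCP, e.g. to port 25.

Added example, not from the CNET item: the probe a mail admin or blocklist
operator runs against their own proxy.  An open proxy answers CONNECT to a
mail server with 200, which is all a spammer needs to relay through it.
The two proxies below are fakes bound to loopback so the script runs offline.
"""
import socket
import socketserver
import threading


def build_connect_request(target_host, target_port):
    """CONNECT request asking the proxy to open a raw tunnel to the target."""
    return (f"CONNECT {target_host}:{target_port} HTTP/1.0\r\n"
            f"Host: {target_host}:{target_port}\r\n\r\n").encode("ascii")


def parse_status(reply):
    """Status code from the proxy's first response line, or None if malformed."""
    parts = reply.split(b"\r\n", 1)[0].split()
    if len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1].isdigit():
        return int(parts[1])
    return None


def probe_open_proxy(proxy_host, proxy_port, target_host="mail.example.net",
                     target_port=25, timeout=5.0):
    """True when the proxy accepts a CONNECT to the target (relay possible);
    False on refusal, connection failure or a malformed reply."""
    try:
        with socket.create_connection((proxy_host, proxy_port), timeout) as sock:
            sock.sendall(build_connect_request(target_host, target_port))
            reply = sock.recv(1024)
    except OSError:
        return False
    return parse_status(reply) == 200


class _RefusingProxy(socketserver.BaseRequestHandler):
    """Fake proxy that rejects tunnels, as a correctly restricted one does."""
    status_line = b"HTTP/1.0 403 Forbidden\r\n\r\n"

    def handle(self):
        self.request.recv(4096)           # consume the CONNECT request
        self.request.sendall(self.status_line)


class _OpenProxy(_RefusingProxy):
    """Fake proxy that accepts any tunnel: the misconfiguration spammers hunt."""
    status_line = b"HTTP/1.0 200 Connection established\r\n\r\n"


def _serve(handler):
    """Start a fake proxy on a free loopback port in a background thread."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo():
    """Probe both fakes; returns (open_proxy_result, refusing_proxy_result)."""
    results = []
    for handler in (_OpenProxy, _RefusingProxy):
        srv = _serve(handler)
        try:
            results.append(probe_open_proxy(*srv.server_address))
        finally:
            srv.shutdown()
            srv.server_close()
    return tuple(results)


if __name__ == "__main__":
    print(demo())    # (True, False)
```

The probe covers HTTP CONNECT only; SOCKS proxies are abused the same way and need their own handshake. A 200 here means the proxy will relay for anyone on the Internet; binding it to the internal interface and limiting CONNECT to the few destination ports it is meant to serve closes it.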


September 24, 2002

U.S. warns Nigeria over online fraud schemes

Online schemes operating out of Nigeria that have defrauded victims out of tens of millions of dollars have become so pervasive that the U.S. government has given the West African country until November to take steps to decrease such crimes or face sanctions.

Some of the criminals are full-time professionals who have set up sophisticated but bogus e-commerce fronts with high-class Web sites, according to Emmanuel Akutu of Softrail Nigerias. (from ComputerWorld)

September 24, 2002

Aussies protest MS security advice

Citing Microsoft's own somewhat patchy security record, Australian industry commentators have called into question the software maker's worthiness to advise the Federal Government on the country's cyber security policy.

Microsoft has yet to respond to ZDNet Australia by time of publication. Therefore, it is not known whether Microsoft is advising the government on security or whether the government is suggesting ways for Microsoft to improve its products. (from ZDNet)

September 25, 2002

Privacy battle seen as a 'gathering

When corporate privacy officers and legal experts get together for privacy conferences they typically worry and warn about how legislative actions by Congress, the states and local municipalities will affect systems and bottom lines. There's never a shortage of dire, worst-case predictions.

According to the National Business Coalition on E-Commerce and Privacy, a Washington-based group that represents large financial services firms and retailers, 548 privacy bills were introduced in state legislatures this year. Some have already been enacted: San Mateo County in California recently set restrictions on data sharing and is now facing a court battle with the state's large banks, and North Dakota residents recently voted for restrictions. (from Computerworld)

September 26, 2002

Network security gets unified

Driven by companies exasperated with managing a slew of security devices that don't play well together, three of the industry's goliaths have this week unveiled unification strategies for their standalone network-protection products.

Today's security devices frequently have their own proprietary control software and lack the ability to correlate information about what potential attacks each device may be seeing. That leaves system administrators with the horrendous job of trying to wade through a flood of data on potential attacks. (from CNet)

September 27, 2002

Hacker groups declare war on

According to Mi2g, malicious hacker groups such as S4t4n1c_S0uls, USG, WFD, EgyptianHackers, Arab VieruZ, MHA, The Bugz and FBH are responsible for many anti-Israeli and anti-Indian attacks, as well as attacks on US targets.

This month, US-registered domains suffered the most, with 4,157 attacks, well ahead of the number two nation on the list, Brazil, which suffered 835 attacks. The UK, Germany and India were the next most popular targets, with fewer than 400 attacks each. (from The Register)

September 27, 2002

Online payment service PayPal hit by scam

During the past two weeks, online payment service PayPal Inc. has been targeted by scam artists trying to get the personal information of its users, including credit card data, user names and passwords.

[These scams] happen often, and they happen often to successful Web sites like eBay, PayPal and other financial services sites. (from ComputerWorld)
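The correlation gap in the September 26 item "Network security gets unified" above is concrete enough to show in code. The script below is an added example written for this bulletin, not part of any vendor's unification product: it takes log lines from three hypothetical devices (a border firewall, a DMZ IDS and a mail gateway, each with a made-up format), normalises them to one schema, clusters each source address's events in time, and escalates a source only when more than one device type saw it within the window, which is the cross-device view the item says the standalone products lack. All log lines, device names and addresses are constructed for the demonstration.

```python
"""Correlate alerts from security devices that do not talk to each other.

Added example for the "Network security gets unified" item; the bulletin
describes the problem, not this code.  Three hypothetical devices log in
their own formats; events are normalised, grouped by source address,
clustered in time, and escalated only when more than one device type saw
the same source inside the window.  Sample log lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One regex per (made-up) device format; each yields a time, device, src and detail.
_FW_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<dev>fw-\S+) DENY "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")
_IDS_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2}) (?P<dev>ids-\S+) ALERT "
    r"sid=(?P<sid>\d+) msg=\"(?P<msg>[^\"]*)\" (?P<src>[\d.]+) -> [\d.]+:\d+")
_MAIL_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<dev>mail-\S+) BLOCKED "
    r"src=(?P<src>[\d.]+) file=(?P<file>\S+) verdict=(?P<verdict>\S+)")

LOG_YEAR = 2002   # syslog-style IDS lines carry no year; assume the bulletin's


def normalize(line):
    """Map one raw line to {'time','device','kind','src','detail'}; None if unknown."""
    for kind, rx, fmt, detail in (
        ("firewall", _FW_RE, "%Y-%m-%d %H:%M:%S", "dst={dst}:{dport}"),
        ("ids", _IDS_RE, "%Y %b %d %H:%M:%S", "sid={sid} {msg}"),
        ("mailgw", _MAIL_RE, "%Y-%m-%d %H:%M:%S", "{file} {verdict}"),
    ):
        m = rx.match(line)
        if m:
            d = m.groupdict()
            ts = d["ts"] if kind != "ids" else f"{LOG_YEAR} {d['ts']}"
            return {"time": datetime.strptime(ts, fmt), "device": d["dev"],
                    "kind": kind, "src": d["src"], "detail": detail.format(**d)}
    return None


def correlate(lines, window_minutes=5, min_kinds=2):
    """Cluster each source's events where consecutive gaps are <= the window and
    escalate clusters seen by at least min_kinds distinct device types."""
    window = timedelta(minutes=window_minutes)
    by_src = defaultdict(list)
    for line in lines:
        ev = normalize(line)
        if ev:
            by_src[ev["src"]].append(ev)
    incidents = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e["time"])
        cluster = [events[0]]
        for ev in events[1:] + [None]:           # None flushes the last cluster
            if ev is not None and ev["time"] - cluster[-1]["time"] <= window:
                cluster.append(ev)
                continue
            kinds = sorted({e["kind"] for e in cluster})
            if len(kinds) >= min_kinds:
                incidents.append({"src": src, "kinds": kinds, "events": len(cluster),
                                  "first": cluster[0]["time"], "last": cluster[-1]["time"],
                                  "details": [e["detail"] for e in cluster]})
            if ev is not None:
                cluster = [ev]
    return sorted(incidents, key=lambda i: i["first"])


# Constructed sample: one source hits the firewall, IDS and mail gateway within
# two minutes; another trips the firewall and, 27 minutes later, the IDS.
SAMPLE_LOGS = [
    "2002-09-26 10:01:05 fw-edge DENY src=203.0.113.7 dst=198.51.100.10 dport=1433",
    "2002-09-26 10:01:09 fw-edge DENY src=203.0.113.7 dst=198.51.100.11 dport=1433",
    'Sep 26 10:01:12 ids-dmz ALERT sid=2002 msg="MSSQL probe" 203.0.113.7 -> 198.51.100.12:1433',
    "2002-09-26 10:02:40 fw-edge DENY src=192.0.2.44 dst=198.51.100.10 dport=22",
    "2002-09-26 10:03:01 mail-gw BLOCKED src=203.0.113.7 file=setup.exe verdict=Klez.H",
    'Sep 26 10:30:00 ids-dmz ALERT sid=1000 msg="SSH scan" 192.0.2.44 -> 198.51.100.12:22',
    "noise line from a device nobody wrote a parser for",
]

if __name__ == "__main__":
    for inc in correlate(SAMPLE_LOGS):
        print(inc["src"], inc["kinds"], inc["events"], inc["first"], inc["last"])
```

The window does the work: the second source is seen by both the firewall and the IDS, but 27 minutes apart, so with the default five-minute window it is not escalated, while widening the window to an hour pulls it in. The per-device regexes are the part that has to be maintained as devices are added; the correlation logic does not change.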


EVENTS

ORGANIZER   HKPC
            KNOWLEDGE NETWORK ASIA LTD.
DATE & TIME OCTOBER 16-18, 2002 (9:30AM-5:30PM)
FEE         HK$ 5,600 PER PARTICIPANT
            (EARLY BIRD RATE - ENROLMENT BEFORE 7 OCTOBER, 2002)
            MEMBERS OF ORGANIZATION AND SUPPORTING ORGANIZATIONS HAVE FURTHER DISCOUNT
ENQUIRY     2788 5427

ORGANIZER   BCP ASIA
DATE & TIME NOVEMBER 11-13, 2002 (9:30AM-5:30PM)
            (EARLY BIRD RATE - ENROLMENT BEFORE 4 NOVEMBER, 2002)
            MEMBERS OF ORGANIZATION AND SUPPORTING ORGANIZATIONS HAVE FURTHER DISCOUNT
ENQUIRY     2788 5427

INFORMATION SECURITY FUNDAMENTALS
ORGANIZER   HKPC
PLACE       1/F HKPC BUILDING, 78 TAT CHEE AVENUE, KOWLOON
DATE & TIME NOVEMBER 28-29, 2002 (9:30AM-5:30PM)
LANGUAGE    ENGLISH
FEE         HK$ 4,000 PER PARTICIPANT
            HK$ 3,600 PER PARTICIPANT (EARLY BIRD RATE - ENROLMENT BEFORE 21 NOVEMBER, 2002)
            MEMBERS OF ORGANIZATION AND SUPPORTING ORGANIZATIONS HAVE FURTHER DISCOUNT OF HK$400
ENQUIRY     2788 5427

BS7799 THE ESSENTIAL OF INFORMATION SECURITY MANAGEMENT
ORGANIZER   HKPC
DATE & TIME DECEMBER 9-10, 2002 (9:30AM-5:30PM)
LANGUAGE    CANTONESE
FEE         HK$ 3,800 PER PARTICIPANT (EARLY BIRD RATE - ENROLMENT BEFORE 2 DECEMBER, 2002)
            MEMBERS OF ORGANIZATION AND SUPPORTING ORGANIZATIONS HAVE FURTHER DISCOUNT OF HK$200
ENQUIRY     2788 5427

FOR FURTHER INFORMATION, PLEASE CONTACT
Hong Kong Computer Emergency Response Team Coordination Centre
Tel: (852) 8105 6060
Fax: (852) 8105 9760
Web Site: